Office of Public Instruction
Foundation Program Application


This report provides information regarding the office's computer-based
Foundation Program application. The application processes over $300
million in school equalization payments annually. We concluded the
application design is adequate to ensure data integrity. However, this
report contains recommendations for improving controls in the office's
electronic data processing environment. These recommendations address:

- Improving documentation related to electronic data processing
  controls, contingency planning, and systems development.

- Increasing control procedures to ensure data integrity.

EDP AUDITS


Electronic Data Processing (EDP) audits conducted by the Office of the Legislative Auditor
are designed to assess controls in an EDP environment. EDP controls provide assurance over
the accuracy, reliability, and integrity of the information processed. From the audit work,
a determination is made as to whether controls exist and are operating as designed. In
performing the audit work, the audit staff uses audit standards set forth by the United States
General Accounting Office.

Members of the EDP audit staff hold degrees in disciplines appropriate to the audit process.
Areas of expertise include business and public administration and computer science.

EDP audits are performed as stand-alone audits of EDP controls or in conjunction with
financial-compliance and/or performance audits conducted by the office. These audits are
done under the oversight of the Legislative Audit Committee which is a bicameral and
bipartisan standing committee of the Montana Legislature. The committee consists of four
members of the Senate and four members of the House of Representatives.

The Legislative Audit Committee
of the Montana State Legislature:

This is our EDP audit of the Office of Public Instruction's controls relating
to its computer-based Foundation Program system. We reviewed the office's
general controls related to the microcomputer environment which processes the
Foundation Program application. In addition, we reviewed the office's Foundation
Program application. This report addresses the control weaknesses we identified in
the Office of Public Instruction's EDP system. The office's written response to our
audit recommendations is included in the back of the report.

We thank the superintendent and office personnel for their cooperation and
assistance throughout the audit.

Respectfully submitted.


Scott A. Seacat
Legislative Auditor

Introduction


Our EDP audit evaluated the controls relating to the Office of
Public Instruction's (OPI) computer-based Foundation Program
application. We reviewed the adequacy of OPI's implementation
of general and application controls, as they relate to the
Foundation Program application. A discussion of general and
application controls is included on pages 1 and 2. The objectives and
scope of the audit are discussed on pages 2 and 3 of the report.


OPI owns, manages, and supports a wide area network, which
includes 17 local area networks. These networks include 200
microcomputers, 45 of which are located outside the Helena
area.

We concluded the design of the Foundation Program application
is adequate to ensure data integrity. However, we identified
areas where controls could be improved to ensure continuity of
operations and data security.


General Controls


In our review of OPI's general control environment, as it relates
to the Foundation Program, we found organizational and
physical controls were adequate. We noted concerns in system
documentation, system development, access controls, and
internal review of the application.


Documentation


According to AICPA audit guidelines, "Management should
require various levels of documentation and establish formal
procedures to define the system at appropriate levels of detail."
While we found that most of the general controls were in place
and adequate, there was little or no documentation of the
controls.


Areas where documentation should be improved include:
policies and procedures related to microcomputer use and
application processing, system development policies and procedures,
and contingency planning policies and procedures.


System Development


Systems development and documentation controls should ensure
effective controls are included in all new systems and should
preserve the integrity of application controls after the system has
been implemented. These controls provide for system
documentation, user testing, and management approval before
applications are implemented.


OPI personnel indicated they follow a systems development
approach to application development. However, we found no
documentation to support that position. The agency has a
steering committee, which makes decisions on system testing and
changes. We found the committee is not independent of the
application operations, and their considerations and decisions are
not formally documented. We believe OPI should require
independent review of all systems, and should adequately
document all decisions and actions taken by the review team.


System Changes


We found changes to the system are subject to an approval and
testing process which seems adequate to ensure proper changes.
However, the testing is not documented, and final approval for
putting the change on-line is given by the programming
supervisor. We believe OPI should require user management approval
before a change is put on line.


Access Controls


Access controls provide electronic safeguards designed to ensure
computer system resources are properly used. Logon IDs and
passwords control access to OPI computer systems, computer
programs, and computer data. OPI has made considerable effort
to control electronic access. In recent years, OPI segregated the
operating and programming functions, and uses the control
functions built into the network software.


We found overall access controls at OPI to be adequate.
However, in our review of Foundation Program access, we noted
three analysts with write access to the data who did not need the
access to perform their jobs. The risk of improper changes to
the database, whether intentional or accidental, is increased with
each write access privilege. OPI management indicated the
access was given due to a misunderstanding of the file access
requirements. We believe clarification of the access rights and
job requirements through formal policies and procedures would
prevent this type of misunderstanding in the future.


Internal Reviews


According to AICPA audit guidelines, "Internal auditors or some
other independent group within an organization should review
and evaluate proposed systems at critical stages of development."
This review should ensure the design, implementation, and
testing phases were performed efficiently, left an audit trail, and
included adequate control procedures.


Management indicated they have a committee to review the
Foundation Program application during development. We found
the committee was composed of personnel who are directly
related to the operation of the application, and therefore their
independence is questionable. In addition, the meetings are not
formally documented, leaving no audit trail of group decisions.
We believe OPI should require a review by one or more staff
members, independent of the development team, of new
applications during each development phase. In addition, OPI should
adequately document all development team decisions and actions.


Foundation Program Application


OPI uses the Foundation Program application for controlling and
calculating the allocation of funds from the state Equalization
Aid Account in the Special Revenue Fund to local school
districts. The application uses data from the elementary and high
school final budget reports submitted by Montana school
districts. It then cross-checks the data with information on other
files and computer-generated calculations, to determine its
validity.


We performed an application review of the Foundation Program,
including input, processing and output controls. Overall, we
concluded the controls over the Foundation Program application
are adequate to ensure data integrity. However, we found areas
where the controls could be enhanced to further ensure the
security and integrity of the data. These areas include:
documentation, edit processes, and processing controls.


Documentation


Application documentation is an essential component of good
EDP controls. Documentation provides a description of
computer-processing activities and its impact on user groups.
Adequate documentation provides a starting point for
understanding a processing application. Documentation guidelines are
listed on page 14 of the report.


Areas where documentation should be improved include: input
procedures, edit creation and use, error correction procedures,
data transmittal procedures, and output distribution policies and
procedures. Agency personnel indicated they have not had the
time or personnel to adequately document the Foundation
Program. We believe OPI should document the application
objectives, manual procedures, error correction procedures, and
processing information. OPI should establish policies and
procedures which ensure applications developed are adequately
documented.


Edit Processes


OPI incorporates two types of edits in their data input
procedures: on-line edits and pre-processing edits. The on-line edits
are used to ensure only valid data types are input into the
specified fields, such as numeric only or date only fields. We
found 11 fields in the input records which are designated as
alpha-numeric, while the only valid data which can be input is
numeric. These errors would be fatal in the processing stage,
and could cause considerable delays in processing. We believe
the input edits should be made compatible with the related
pre-processing edits.


After the data is input, and prior to processing, it is subject to
edits which test the validity of the data with other line-items,
other files, or computed amounts. These preprocessing edits are
given a designation of "warning" or "fatal," according to the
criticality of the data. A warning edit can be bypassed to
complete processing. A fatal edit will stop processing until the error
is corrected. We found data correction personnel have the ability
to bypass the fatal edits by changing them to warning edits. This
circumvents the original purpose of the fatal edits. We believe
OPI should restrict the ability to override fatal edits and require
approval for all overrides.
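
The two findings above, sketched as an added Python example (not code from OPI or the audit): it lists fields whose on-line edit accepts data the pre-processing edit rejects, and it keeps an edit's severity fixed so that a fatal edit can only be passed with a logged override approved by someone other than the requester. Field names, user IDs, edit rules, and sample records are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple

Record = Dict[str, str]


class Severity(Enum):
    WARNING = "warning"  # can be bypassed to complete processing
    FATAL = "fatal"      # stops processing until the error is corrected


@dataclass(frozen=True)  # frozen: an edit's severity cannot be changed at run time
class Edit:
    name: str
    severity: Severity
    passes: Callable[[Record], bool]


@dataclass(frozen=True)
class Override:
    edit_name: str
    requested_by: str
    approved_by: Optional[str] = None


# Hypothetical field definitions, constructed for this example.
ONLINE_EDIT_TYPES = {"district_no": "alphanumeric", "enrollment": "numeric",
                     "budget_total": "alphanumeric"}
PREPROCESS_TYPES = {"district_no": "numeric", "enrollment": "numeric",
                    "budget_total": "numeric"}
APPROVERS = {"user_mgr"}  # hypothetical user-management approver IDs


def is_numeric(value: str) -> bool:
    return value.isascii() and value.isdigit()


def incompatible_fields(online: Dict[str, str], pre: Dict[str, str]) -> List[str]:
    """Fields where the on-line edit accepts data the pre-processing edit rejects."""
    return sorted(name for name, kind in online.items()
                  if kind == "alphanumeric" and pre.get(name) == "numeric")


def total_matches(rec: Record) -> bool:
    """Cross-check the reported total against the sum of its line items."""
    parts = rec["line_items"].split(",")
    if not (is_numeric(rec["budget_total"]) and all(map(is_numeric, parts))):
        return False
    return int(rec["budget_total"]) == sum(int(p) for p in parts)


EDITS = [
    Edit("district_no is numeric", Severity.FATAL,
         lambda r: is_numeric(r["district_no"])),
    Edit("budget_total equals line items", Severity.FATAL, total_matches),
    Edit("enrollment under 10000", Severity.WARNING,
         lambda r: is_numeric(r["enrollment"]) and int(r["enrollment"]) < 10000),
]


def run_preprocessing(record: Record, edits: List[Edit], overrides: List[Override],
                      approvers: Set[str], audit_log: list) -> Tuple[bool, List[str]]:
    """Apply the edits; a failed fatal edit blocks the record unless an
    override approved by someone other than the requester is on file."""
    on_file = {o.edit_name: o for o in overrides}
    ok, messages = True, []
    for edit in edits:
        if edit.passes(record):
            continue
        if edit.severity is Severity.WARNING:
            messages.append(f"warning: {edit.name}")
            continue
        ov = on_file.get(edit.name)
        approved = (ov is not None and ov.approved_by in approvers
                    and ov.approved_by != ov.requested_by)
        # Every override attempt is recorded, approved or not.
        if ov is not None:
            audit_log.append((edit.name, ov.requested_by, ov.approved_by, approved))
        if approved:
            messages.append(f"fatal overridden with approval: {edit.name}")
        else:
            ok = False
            messages.append(f"fatal: {edit.name}")
    return ok, messages


# Constructed sample records.
GOOD = {"district_no": "0101", "enrollment": "412",
        "budget_total": "1500", "line_items": "1000,500"}
BAD_TOTAL = dict(GOOD, budget_total="1600")

if __name__ == "__main__":
    log: list = []
    print(incompatible_fields(ONLINE_EDIT_TYPES, PREPROCESS_TYPES))
    print(run_preprocessing(BAD_TOTAL, EDITS, [], APPROVERS, log))
    ov = Override("budget_total equals line items", "clerk1", "user_mgr")
    print(run_preprocessing(BAD_TOTAL, EDITS, [ov], APPROVERS, log), log)
```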


Processing Controls


According to AICPA guidelines, processing controls should be
incorporated into each application to provide reasonable
assurance computer processing performs as intended. Controls should
ensure all transactions are processed as authorized, no authorized
transactions are omitted, and no unauthorized transactions are
added. This is accomplished through manual or electronic
controls designed to ensure transactions passing through the
application are complete and accurate. These controls include: limit
and reasonableness checks, batch totals, and run-to-run totals.


OPI performs limit and reasonableness checks through the edit
process described on page 19. Through testing, we determined
those edits are adequate and operate as described. While
run-to-run totals and hash totals are not used by OPI to ensure
completeness and accuracy of data, they use key-verification of
input as a compensating control. In addition, we traced source
documentation through the system and determined application
output was correct at this time. However, we believe processing
controls could be strengthened, through improved documentation
and management control over system changes. In addition, given
the possibility of future on-line entry by the school districts, we
believe OPI should consider incorporating more controls within
the application, such as hash totals and batch totals, to ensure all
data sent from outside sources is actually received.
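
How batch totals, hash totals, and run-to-run totals catch lost or altered records, as an added Python example that is not part of the audit report or OPI's application. The record layout (district_no, amount) and the sample batch are constructed; the hash total here is the control-total sense of the term (a sum over an identifying field), not a cryptographic hash.

```python
from decimal import Decimal
from typing import Dict, List, NamedTuple, Optional, Tuple

Record = Dict[str, str]


class ControlTotals(NamedTuple):
    record_count: int
    batch_total: Decimal  # sum of a monetary field
    hash_total: int       # sum of an identifying field; meaningful only as a check


def compute_totals(records: List[Record]) -> ControlTotals:
    """Totals the sender attaches to a batch and the receiver recomputes."""
    return ControlTotals(
        record_count=len(records),
        batch_total=sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        hash_total=sum(int(r["district_no"]) for r in records),
    )


def verify_batch(header: ControlTotals, received: List[Record]) -> List[str]:
    """Names of the controls that disagree; an empty list means accept."""
    actual = compute_totals(received)
    return [name for name in ControlTotals._fields
            if getattr(header, name) != getattr(actual, name)]


def first_run_to_run_break(stages: List[Tuple[str, List[Record]]]) -> Optional[str]:
    """Run-to-run totals: each processing stage must carry forward the same
    totals as the stage before it. Returns the first stage that does not."""
    previous = None
    for name, records in stages:
        totals = compute_totals(records)
        if previous is not None and totals != previous:
            return name
        previous = totals
    return None


# Constructed sample batch, as a district might transmit it.
SENT = [
    {"district_no": "0101", "amount": "125000.00"},
    {"district_no": "0244", "amount": "98500.50"},
    {"district_no": "0367", "amount": "310250.25"},
]
HEADER = compute_totals(SENT)

# Constructed failure cases on the receiving side.
DROPPED = SENT[:2]                                            # last record lost
ALTERED = [SENT[0], dict(SENT[1], amount="98500.05"), SENT[2]]  # digits transposed
MISKEYED = [SENT[0], SENT[1], dict(SENT[2], district_no="0368")]  # wrong district


def demo() -> Dict[str, List[str]]:
    return {
        "intact": verify_batch(HEADER, SENT),
        "dropped": verify_batch(HEADER, DROPPED),
        "altered": verify_batch(HEADER, ALTERED),
        "miskeyed": verify_batch(HEADER, MISKEYED),
    }


if __name__ == "__main__":
    for case, failures in demo().items():
        print(case, failures or "accepted")
    print(first_run_to_run_break(
        [("received", SENT), ("edited", SENT), ("payment_calc", DROPPED)]))
```

These totals detect accidental loss or alteration in transit; a sender or intermediary who can recompute the header can defeat them, so they complement access controls rather than replace them.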


Summary


In conclusion, we found the general and application controls
were sufficient to ensure the integrity of the data processed at
OPI. The weaknesses we identified could compromise the
integrity of the data in the future. OPI has acknowledged the need
for improvement and has agreed to implement our
recommendations.


Introduction


This is an audit of controls relating to the Office of Public
Instruction's (OPI) computer-based Foundation Program
application. We performed an electronic data processing (EDP)
review of the Foundation Program application. We selected OPI
and this application because of the significance of the dollars
processed (over $300 million) and the continued legislative
interest in this program.


EDP Audit General and Application Controls


An EDP audit consists primarily of a review of internal controls.
In an automated environment the procedures for reviewing
controls are different from those used in a manual environment.
However, the objective of ensuring the reliability of controls is
still the same. EDP auditing entails performing a general and an
application control review. The general control review consists
of an examination of the following controls and objectives:

Organizational - No one person should be able to conceal
material errors or irregularities.

Procedural - Daily operations should protect against processing
errors.

Hardware and Software - Hardware and systems software should
identify system malfunctions and maintain operations.

System Development - System design and maintenance activities
should promote system control and integrity.

Physical Controls - Loss or destruction of assets and records
should be prevented and continuous operations should be
assured.

Access - Access to hardware and electronic information should
be limited to authorized individuals.

A general control review provides information regarding the
ability to control EDP applications. Application controls are
specific to a given application or a set of programs that
accomplish a specific objective.

Application controls consist of an examination of the following
controls and objectives:

Input - Ensure all data is properly encoded to machine form, all
entered data is approved, and all approved data is entered.

Processing - Ensure all data input is processed as intended.

Output - All processed data is reported and properly distributed
to authorized individuals.

A review of the application documentation and audit trail is also
performed. Applications must operate within the general
controls environment in order for reliance to be placed on them.


Audit Objectives


The objectives of our EDP audit of the Office of Public
Instruction are:

1. To determine the adequacy of general controls specific to
OPI's use of microcomputers for the Foundation Program
application.

2. To determine the adequacy of application controls in
order to evaluate the adequacy and accuracy of data
processed by the Foundation Program application.


Audit Scope


The audit was conducted in accordance with government audit
standards. We measured OPI's general and application controls
against criteria established by the American Institute of Certified
Public Accountants (AICPA), General Accounting Office
(GAO), and accepted industry EDP guidelines. We reviewed
OPI's general controls related to the microcomputer environment
which processes the Foundation Program application. We
interviewed OPI personnel to gain an understanding of the hardware
and software environment at the Office of Public Instruction.
We also reviewed available documentation relevant to the
Foundation Program.

We conducted an application control review of the Foundation
Program. We reviewed input, processing, and output controls
for this system to ensure the system is meeting its objectives. We
also determined if controls over data are effective, efficient, and
adequate to ensure the accuracy of data during processing
phases.


General Background


OPI was established by Section I, Article VI of the Constitution
of Montana. The Superintendent of Public Instruction is elected
to serve a four-year term and is responsible for the general
supervision of the public schools and districts of the state. The
superintendent is also the ex-officio secretary of the State Board
of Education and the governing agent and executive officer for
K-12 vocational education in the state.


OPI personnel provide services to approximately 151,000 school
age children and 9,600 teachers in over 530 school districts.
Services include administration of the Foundation Program and
consultive and technical assistance in planning, implementing,
and evaluating educational programs in areas such as teacher
preparation, teacher certification, school accreditation, school
curriculum, school finance, and school law.

OPI's Network Administration Division, consisting of three
system administrators and two operations staff, manages, plans,
and supports a wide area network, including 17 local area
networks. A network links terminals, storage devices, and programs
such as word processing and spreadsheet software. OPI uses the
networks for Foundation Program processing, Guaranteed Tax
Base processing, and several other applications. These networks
include 200 microcomputers, 45 of which are located outside the
Helena area. In addition, the division has been responsible for
converting all computer processing at OPI to a microcomputer
environment.


Foundation Program


OPI is responsible for the administration of state and federal
moneys used to fund Montana's schools. The Montana
Constitution directs the legislature to "provide a basic system of free
quality education to public elementary and secondary schools"
and to "fund and distribute in an equitable manner to the school
districts the state's share of the cost of the basic elementary and
secondary school system."

Montana's primary plan for school funding is known as the
"foundation program." The foundation program, originally
enacted by the legislature in 1949, was designed to equalize
public school financing throughout Montana by specifying
budgeting and funding requirements.

A state teacher's organization and 68 school districts challenged
the constitutionality of the foundation program on the basis the
program denied equal education to all students. This lawsuit was
filed April 25, 1985, in the First Judicial District in Helena,
Montana. The lawsuit was decided for the plaintiffs, against
OPI and the state, in January 1988. The presiding judge made
the decision effective October 1, 1989, in order to give the 1989
Legislature an opportunity to correct the foundation program's
inequities. Subsequently, the State Supreme Court upheld the
district court decision, but only gave law makers until July 1,
1989 to correct the inequities.

The legislature passed a school funding bill in the June 1989
special session that was later signed into law (Chapter 11, Special
Session Laws of 1989) by the governor. The new law attempted
to address the funding equity issues in the lawsuit. The new
school foundation program law was effective for use in school
funding in state fiscal year 1990-91 and beyond.

During fiscal year 1990-91, OPI began developing a computer
application designed to ensure district payments are made in
accordance with the new law; ensure data and payment accuracy;
and eliminate overpayments to districts. OPI refers to this
application as the Foundation Program. OPI management indicated
the application is still in the testing and acceptance phase of
development. However, we noted the application was used to
calculate monthly school district payments during fiscal year
1991-92.


Introduction


General controls are developed by the computer user to protect
assets and limit losses. In our review of OPI's general control
environment, we found organizational and physical controls
adequate but noted weaknesses in system documentation, system
development, access controls, and internal review of the
application. We discuss these issues in the following sections.


Documentation


According to AICPA audit guidelines, "Management should
require various levels of documentation and establish formal
procedures to define the system at appropriate levels of detail."
In addition, state law requires internal evaluations related to
specific general controls. In our review of general controls, we
found general control documentation to be lacking in most areas.
We noted the following areas where documentation should be
improved.


Documentation of General Controls


The Office of Public Instruction has not documented policies
and procedures associated with the implementation and
maintenance of computer general controls. General control
documentation at OPI should include the following:

1. A plan of organization and operation of the EDP activity.

2. Provisions for security against the accidental loss or
destruction of records and assurance of continuous
operation of the EDP function.

3. Procedures for documenting, reviewing, testing, and
approving systems, programs, and changes.

4. Existence of hardware and software controls.

5. Controls over access to equipment and data files.

6. Other data and procedural controls affecting overall EDP
operations.

In addition, section 2-15-114, MCA, requires department heads
to be "...responsible for assuring an adequate level of security for
all data and information technology resources within his
department and shall...(4) ensure internal evaluations of the security
program for data and information technology resources are
conducted."

By not documenting its policies, procedures, and controls, OPI
cannot ensure compliance with state law or strength of system
controls. If general control weaknesses exist, the risk of system
misuse, malfunction, or damage increases, and specific
application controls may be ineffective.

In general, we found OPI personnel follow certain policies and
procedures related to microcomputer use and application
processing. However, we noted these policies and procedures are not
formally documented. Industry standards suggest formal written
policies should be established to prevent the misuse of computer
equipment and to hold employees accountable for use/misuse of
computer equipment. Manual processing procedures should be
formally defined to ensure continuity of computer operations in
the agency. In addition, through documentation of system
general controls and internal evaluations of these controls, we
believe OPI would be in compliance with state law.

In addition to OPI's lack of documentation related to
microcomputer use and processing procedures, we noted
documentation concerns related to system development and disaster
recovery. These issues are discussed in further detail in the
following sections.

OPI personnel indicated complete documentation of control
policies and procedures is not possible given present staff
resources. Network Administration Division management agreed
documentation was necessary and indicated a willingness to
improve general control documentation.


Recommendation #1

We recommend OPI:

A. Establish written policies and procedures which
adequately document the implementation and
maintenance of general controls.

B. Require periodic evaluations of general controls to
ensure security over computer data and information
resources in compliance with state law.


Contingency Planning


OPI documented a general overview of its disaster recovery and
data security plan. However, the details of the disaster recovery
plan are not formalized and are known only by the network
administration staff. In the event those people were not
available during a disaster situation, recovery could be delayed for an
indefinite period of time. Adequate documentation could assure
timely recovery from a disaster situation.

OPI's data backup procedures appear adequate to ensure
application and system information is not at risk of loss due to hardware
failure or disasters. However, the backup procedures are not
documented. Without adequate documentation, employee
absence may significantly delay backup procedures which
increases the effect of data loss. System managers indicated
documentation was not necessary since backup procedures are
known by more than one individual. To adequately ensure
continued and proper backup procedures in the event of personnel
turnover or absence, detailed backup procedures should be
documented.

In addition to a backup plan for hardware and data, adequate
contingency planning requires a documented plan related to each
application. In a disaster situation, individuals responsible for an
application may make critical decisions regarding application
restoration. Restoration may include processing at an alternate
site or reverting to manual procedures. Whatever process is
planned, step-by-step procedures should be documented to
ensure continued operation. OPI does not have a documented
contingency plan for the Foundation Program application.
Management indicated a documented plan was not necessary.
However, given a local disaster, we believe payments to districts
could be delayed indefinitely unless a contingency plan is
documented.


Recommendation #2

We recommend OPI improve disaster recovery policies and
procedures by:

A. Outlining step-by-step procedures for hardware
and application recovery.

B. Documenting system backup procedures.


Systems Development


Systems development and documentation controls should ensure
effective application controls are included in all new systems and
should preserve the integrity of application controls after the
system has been implemented. These controls provide for system
documentation, user testing, and management approval before
applications are implemented.


In our general control review, agency personnel indicated they
follow a systems development approach. However, we found
little documentation which supports this position. We
specifically requested documentation related to the Foundation
Program application. Agency personnel could not provide formal
documentation which outlined application objectives,
development plans and procedures, or application testing. A steering
committee, consisting of programmers, users, and management,
meets regularly to decide on system testing and changes.
However, committee considerations and decisions are not
formally documented. We found no written specifications which
document the Foundation Program objectives, processing,
testing, or management approval.

Written  specifications  provide  a  basis  from  which  an  application 
can  be  measured  against  system  objectives  and  user  needs. 
Approval  by  users  and  management  increases  the  chances  the 
system  will  meet  user  needs  and  the  identified  system  objectives. 

In addition, written specifications provide a basis for assessing
the effect of future program changes. Once a system is in production,
all changes made to the application should be adequately
documented, tested, and approved. OPI does have a
standard change request form. However, we noted changes and
testing related to the Foundation Program application were not
documented. In addition, we noted agency procedures require
the programming supervisor to approve program changes.
Change approval should be the responsibility of user management.

The lack of system documentation increases the risk the foundation
program will not meet desired objectives. Overall, undocumented
and unauthorized changes compromise the integrity of
the application.

Agency management stated they have not documented the Foundation
Program because the application is still in development.
In addition, they indicated other responsibilities have taken
priority over application documentation.

Since  OPI  processed  actual  payment  information  during  fiscal 
year  1991-92,  we  believe  the  system  is  actually  in  production. 
Production  systems  should  be  documented  and  any  changes 
should  be  authorized  and  documented  through  change  request 
forms.   The  goals  and  objectives  of  the  Foundation  Program 
application  should  be  formally  documented.    Finally,  we  believe 
OPI  should  establish  a  target  date  for  completing  documentation 
of  the  Foundation  Program  application. 


Recommendation #3
We recommend OPI:

A. Establish a target date to create documentation for
the Foundation Program application which includes
objectives, programs, procedures, changes, and
testing.

B. Revise the change request form to require final
approval by user management after a change is
complete.


Access  Controls 


Access  controls  provide  electronic  safeguards  designed  to  ensure 
computer  system  resources  are  properly  used.   Logon  IDs  and 
passwords  control  access  to  OPI's  computer  systems,  computer 
programs, and computer data. System and application programmers
have the highest degree of technical expertise in the
computer  processing  facility  and  therefore  play  an  important 
role  in  maintaining  the  system.   However,  user  management  has 
the  primary  responsibility  for  maintaining  adequate  controls.  To 
ensure  system  integrity,  management  should  install  appropriate 
controls. 


OPI  has  made  considerable  effort  to  control  electronic  access.   In 
recent  years,  OPI  segregated  the  programming  and  operating 
functions,  ensuring  an  adequate  segregation  of  EDP  functions. 
The  control  functions  built  into  the  network  software  were  used 
to ensure only authorized levels of access were given to appropriate
personnel. OPI requires access request forms from the
user groups before system administrators will allow access to
programs and data.

We found the overall access controls to be adequate. However,
in our review of Foundation Program access, we noted three
analysts with write access to the data who did not need the access
to perform their jobs. The risk of improper changes to the database,
whether intentional or accidental, is increased with each
write access privilege. In discussion with agency management,
we determined the access was given due to a misunderstanding
of file access requirements. Clarification of the access rights and
job requirements through formal policies and procedures would
prevent this type of misunderstanding in the future.


Recommendation  #4 

We recommend OPI establish formal policies and procedures
which ensure electronic access rights are
appropriately assigned.


Internal Reviews Needed


According to AICPA audit guidelines, "Internal auditors or some
other independent group within an organization should review
and evaluate proposed systems at critical stages of development."
This review should ensure the design, implementation, and testing
phases were performed efficiently, left an audit trail, and
included adequate control procedures.

In  the  development  of  the  Foundation  Program  application,  OPI 
used  an  internal  group  to  evaluate  the  needs  of  the  system.  The 
group  consisted  of  personnel  directly  related  to  the  use  and 
operation of the program. As a result, we question the independence
of their review. In addition, the meetings are not formally
documented,  leaving  no  audit  trail  of  group  decisions. 

Without  an  independent  review  at  critical  stages  of  development, 
adequate controls may not be built into the system. Implementing
controls after a system is placed into production is often
impractical  and  costly. 

Management  indicated  an  independent  review  was  not  feasible 
given  the  complexities  of  the  Foundation  Program  application. 
We believe a review by one or two staff members, independent
of the development team, would provide adequate independence
to ensure sufficient controls are designed into the application.


Recommendation  #5 
We  recommend  OPI: 

A.  Require  a  review  by  one  or  more  staff  members, 
independent  of  development  team,  of  new 
applications  during  each  development  phase. 

B. Adequately document development team decisions
and actions.


Introduction


The Office of Public Instruction uses the Foundation Program
application for controlling and calculating the allocation of funds
from the state Equalization Aid Account in the Special Revenue
Fund to local school districts. The application contains information
which includes:

1.  School  district  final  budgets. 

2.  Applications  for  isolation  status  and  teacher  aid  requests. 

3.  County  wide  school  funds. 

4.  County  equalization  work  sheet  information. 

5.  Average  number  of  students  belonging  (ANB). 

6.  Certification  of  district  and  county  mill  levies. 

The  application  uses  this  information  to  calculate  payments  made 
to  schools  statewide. 

OPI designed the Foundation Program to use data from the elementary
and high school final budget reports OPI receives from
Montana school districts. OPI personnel and employees from the
Rocky Mountain Data Entry Group in Salt Lake City, Utah
input budget report data into the Foundation Program application.
The application cross checks data entered against validity
edits and data maintained on other OPI applications.

We  performed  an  application  review  of  the  Foundation  Program. 
During  our  review,  we  examined  the  existing  input,  processing, 
and  output  controls.  Overall,  we  concluded  the  controls  over  the 
Foundation  Program  application  are  adequate  to  ensure  data 
integrity.   However,  we  found  areas  where  the  controls  could  be 
enhanced  to  further  ensure  the  security  and  integrity  of  the  data. 
This  chapter  summarizes  our  review  of  the  Foundation  Program 
application. 


Documentation


Application documentation is an essential component of good
EDP controls. Documentation provides a description of
computer-processing activities and their impact on user groups.
Adequate documentation provides a starting point for understanding
a processing application. AICPA guidelines indicate
documentation generally provides the following:

1.  An  understanding  of  the  system's  objectives. 

2.  A  source  of  information  for  those  responsible  for  using 
the  system. 

3.  Information  necessary  for  supervisor  review. 

4.  A  basis  for  training  new  employees. 

5.  A  means  of  communicating  information  to  other  system 
users. 

6.  A  source  of  information  regarding  system  controls. 

7.  A  source  of  information  to  ensure  continuity  of 
processing. 

We  reviewed  the  application  documentation  for  the  Foundation 
Program. We noted several areas where application documentation
should be improved.


Input  Procedures 


OPI  presently  employs  one  full-time  and  four  part-time  data 
entry personnel. Input procedures are not formalized, increasing
the risk of input error and processing delays. As discussed on
page  21,  OPI's  long-range  plans  include  on-line  data  entry  by 
district  personnel.   In  anticipation  of  this  change,  OPI  should 
ensure  user  input  manuals  are  prepared  which  outline  input 
procedures  for  the  district  personnel. 


Edit Creation and Use


OPI's  primary  method  of  ensuring  data  accuracy  is  through  the 
validity  edit  checks.   Application  edits  are  designed  to  compare 
input  data  to  preestablished  limits  and  reasonableness  tests.   OPI 
incorporated  two  types  of  edits  within  the  system:   fatal  edits 
and  warning  edits.   Fatal  edits  prevent  further  processing  until 
the  error  is  corrected.   Warning  edits  flag  the  data  as  a  possible 
error  but  will  not  prevent  further  processing.   OPI  management 
assigned these edit types based on their opinion of data criticality.
No documentation of the edit creation, modification, or
designation process exists. Without adequate documentation,
unauthorized edits may be added to the application or original
edits changed without being detected. OPI should formally document
system edits to provide an adequate audit trail of edits and
edit changes. In addition, OPI should adequately document edits
to ensure user understanding and support edit designation.


Error  Correction 
Procedures 


OPI  employs  one  full-time  person  for  data  corrections.   Her 
procedures  are  not  formally  documented.   In  her  absence,  the 
error  correction  process  may  be  extensively  delayed.   Currently, 
OPI  makes  estimated  monthly  payments  starting  in  July  to  school 
districts  until  final  budget  reports  are  processed.   OPI's  goal  is  to 
begin  making  monthly  payments  based  upon  actual  data  in 
November of each year. Since actual equalization payments cannot
be processed until errors are corrected, the timing of actual
payments  could  be  significantly  delayed.   This  delay  in  making 
actual  payments  and  continued  use  of  estimated  payments  could 
increase  the  risk  of  district  overpayments.   Proper  documentation 
could  help  ensure  the  timely  correction  of  errors  and  continued 
operations. 


Data  Transmittal 
Procedures 


OPI  receives  over  530  final  budget  reports  from  Montana  school 
districts.   The  majority  of  reports  received  are  sent  to  Salt  Lake 
City  for  keypunch.   While  OPI  has  procedures  for  batching  and 
sending  these  forms,  OPI  has  not  formally  documented  these 
procedures.   Proper  documentation  would  ensure  the  data  is 
properly batched and sent. Documented procedures would
decrease the risk these forms would be lost or damaged during
transit.


Output  Distribution 


Finally,  system  output  consists  of  final  payment  reports,  SBAS 
data, direct deposit data, and warrant data. Policies and procedures
for the distribution of output are not formally documented,
increasing the risk of payment and report distribution
delays.   In  addition,  proper  documentation  could  ensure  all 
output  is  distributed  and  received  only  by  authorized  personnel. 


Summary 


Overall,  we  found  little  application  documentation  related  to  the 
Foundation  Program.   Improving  system  documentation  would 
decrease  the  risk  of  improper  data  input  or  processing.   In 
addition,  adequate  documentation  would  ensure  the  continuity  of 
operations  in  the  event  of  employee  turnover  or  absence. 


Recommendation  #6 
We recommend OPI:

A. Document Foundation Program application objectives;
manual input, processing, and output
procedures; error correction procedures; and
processing information.

B. Establish policies and procedures which ensure
applications developed for OPI are adequately
documented.


"Fatal"  Edits  Can  be 
Bypassed 


Prior  to  final  processing,  the  data  in  the  Foundation  Program 
database  is  subject  to  a  series  of  edits  which  compare  data  to: 

1.  Other  amounts  or  totals  from  the  final  budget  report. 

2.  Data  maintained  on  other  OPI  applications. 

3. Calculations performed by the application.

If  the  data  does  not  pass  these  comparisons,  the  application  will 
produce  an  error  report  which  details  the  error  and  the  action 
needed  to  correct  the  error. 

As  noted  in  the  previous  section,  application  edits  are  controls 
designed  to  ensure  data  accuracy.   In  the  Foundation  Program, 
edits  can  be  designated  as  "fatal"  or  "warning."  Fatal  edits 
identify  fatal  errors  in  input  data  which  halt  processing. 
Warning  edits  cause  warning  messages  but  permit  processing  to 
continue.   During  testing,  we  noted  data  correction  personnel  can 
change  a  fatal  error  to  a  warning  message.   This  gives  the 
employee the capability to override the fatal edit without correcting
the error and allows processing to continue. Management
has  not  documented  the  assignment  of  override  capabilities.   We 
could  not  determine  the  reasonableness  of  override  rights 
assigned. 

With  the  ability  to  change  the  edits,  OPI  personnel  could 
inadvertently  or  purposely  change  a  critical  edit  permitting  the 
processing  of  incorrect  data.   This  circumvents  the  original 
purpose  of  the  fatal  edits.   OPI  should  restrict  the  ability  to 
override  fatal  edits  and  require  approval  for  all  overrides. 

As  noted  in  the  application  documentation  section,  we  found  no 
documentation related to the creation, modification, or designation
of edits. Overall, we found little documentation related
to  the  Foundation  Program  application.   We  believe  OPI  should 
establish  policies  and  procedures  which  ensure  all  phases  of  an 
application,  including  edit  override  capabilities,  be  documented. 


Recommendation  #7 

We  recommend  OPI  establish  policies  and  procedures 
which  restrict  the  use  of  the  Foundation  Program's  edit 
override  function  and  require  documentation  for  all 
overrides. 


On-Line Edits


OPI designed input edits and preprocessing edits into the
Foundation Program application. The input edits are designed to
detect certain keying errors made during initial data input. For
example, input edits will not allow an alpha character in a
"numeric only" field. Data fields are defined as numeric only,
date only, or alphanumeric. Alphanumeric fields permit any
character to be input.

After  input,  the  same  data  is  subject  to  the  more  detailed 
preprocessing  edits.   Preprocessing  edits,  whether  fatal  or 
warning,  verify  data  against  various  sources  including  validity 
tables  and  other  applications.   For  example,  during  this  edit 
phase  the  application  verifies  the  county  number  entered  against 
a  validity  table  which  requires  the  field  to  equal  any  number 
between  01  and  56. 

We  tested  all  input  edits  and  preprocessing  fatal  edits.   In 
addition,  we  tested  several  preprocessing  warning  edits.   We 
found  the  edits  tested  operate  as  intended  by  OPI. 

While the edits operate as defined, we found 11 input edits
which permit alphanumeric characters to be entered when only
numeric characters would pass preprocessing edits. For example,
the input field for county number is defined as alphanumeric. If
an alpha character was input, the data would be accepted. However,
as noted above, the county number is limited during preprocessing
edits to numbers between 01 and 56. This particular
preprocessing edit is designated as a fatal edit and processing
would stop if a nonnumeric character were detected.

We  believe  the  input  edits  should  be  designed  to  correspond  to 
related  preprocessing  edits.   By  changing  the  designation  for 
these  fields  to  numeric  only,  OPI  could  prevent  inadvertent 
errors  which  cause  fatal  errors  and  ensure  efficient  use  of 
preprocessing  edits. 
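
The mismatch described above, together with the override restriction recommended under "Fatal" Edits Can be Bypassed, as an added Python example (not OPI's code). Only the field classes and the county rule (01 to 56) come from the report; the edit ids, the second field, the role names, the date layout and the sample record are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Field classes named in the report.
NUMERIC, DATE, ALPHANUMERIC = "numeric only", "date only", "alphanumeric"
INPUT_PATTERNS = {
    NUMERIC: re.compile(r"[0-9]+"),
    DATE: re.compile(r"[0-9]{2}/[0-9]{2}/[0-9]{4}"),  # assumed date layout
    ALPHANUMERIC: re.compile(r".*"),                   # any character
}


@dataclass(frozen=True)
class Edit:
    edit_id: str
    field_name: str
    severity: str                  # "fatal" halts processing, "warning" flags
    numeric_domain: bool           # True when only digits can pass this edit
    passes: Callable[[str], bool]


def county_in_table(value):
    """Validity table from the report: county number between 01 and 56
    (two-digit keying is an assumption)."""
    return re.fullmatch(r"[0-9]{2}", value) is not None and 1 <= int(value) <= 56


# Constructed edit table; only the county rule comes from the report.
EDITS = [
    Edit("E001", "county_number", "fatal", True, county_in_table),
    Edit("E002", "district_name", "warning", False, lambda v: bool(v.strip())),
]

# Field definitions as the auditors found them, and after the recommended change.
BEFORE = {"county_number": ALPHANUMERIC, "district_name": ALPHANUMERIC}
AFTER = {"county_number": NUMERIC, "district_name": ALPHANUMERIC}


def input_edit_accepts(field_defs, name, value):
    """On-line input edit: does the keyed value fit the field's class?"""
    return INPUT_PATTERNS[field_defs[name]].fullmatch(value) is not None


def incompatible_fields(field_defs, edits):
    """Fields whose input class admits values the preprocessing edit rejects."""
    return sorted({e.field_name for e in edits
                   if e.numeric_domain and field_defs[e.field_name] != NUMERIC})


class OverrideLog:
    """Audit trail of fatal-edit overrides approved by user management."""

    def __init__(self, approvers):
        self.approvers = set(approvers)
        self.entries = []

    def approve(self, edit_id, record_id, requested_by, approved_by, reason):
        if approved_by not in self.approvers:
            raise PermissionError(f"{approved_by} may not approve overrides")
        if approved_by == requested_by:
            raise PermissionError("requester cannot approve their own override")
        if not reason.strip():
            raise ValueError("an override needs a documented reason")
        self.entries.append({"edit": edit_id, "record": record_id,
                             "requested_by": requested_by,
                             "approved_by": approved_by, "reason": reason})

    def covers(self, edit_id, record_id):
        return any(e["edit"] == edit_id and e["record"] == record_id
                   for e in self.entries)


def preprocess(record_id, record, edits, log):
    """Return (ok_to_process, findings). A failed fatal edit halts processing
    unless an approved, logged override exists for this record and edit."""
    ok, findings = True, []
    for e in edits:
        if e.passes(record[e.field_name]):
            continue
        if e.severity == "warning":
            findings.append((e.edit_id, "warning"))
        elif log.covers(e.edit_id, record_id):
            findings.append((e.edit_id, "overridden"))
        else:
            findings.append((e.edit_id, "fatal"))
            ok = False
    return ok, findings


if __name__ == "__main__":
    print("incompatible before:", incompatible_fields(BEFORE, EDITS))
    print("incompatible after: ", incompatible_fields(AFTER, EDITS))
    log = OverrideLog(approvers={"user_manager"})
    record = {"county_number": "57", "district_name": "Sample District"}
    print(preprocess("rec-1", record, EDITS, log))
```

Running `incompatible_fields` over the full field and edit tables is the review Recommendation #8 asks for; a numeric-only input class still lets an out-of-range value such as 57 through, so the fatal preprocessing edit remains necessary.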


Recommendation #8

We  recommend  OPI  review  the  Foundation  Program 
application  input  edits  to  ensure  compatibility  with  related 
preprocessing  edits. 


Processing  Controls 


Background 


According  to  AICPA  guidelines,  processing  controls  should  be 
incorporated  into  each  application  to  provide  reasonable 
assurance  computer  processing  performs  as  intended.   Controls 
should  ensure  all  transactions  are  processed  as  authorized,  no 
authorized  transactions  are  omitted,  and  no  unauthorized 
transactions  are  added.  This  is  accomplished  through  manual  or 
electronic  controls  designed  to  ensure  transactions  passing 
through  the  application  are  complete  and  accurate.   Examples  of 
processing  controls  include: 

1.  Limit  and  reasonableness  checks  such  as  edits  designed  to 
search  for  unusually  high  dollar  amounts. 

2.  Batch  totals  which  ensure  all  transactions  entered  through 
keypunch  were  accurately  and  completely  entered. 

3.  Run-to-run  control  totals  which  ensure  the  number  of 
transactions  entered  were  included  in  processing. 

We  noted  OPI  incorporated  numerous  limit  and  reasonableness 
checks,  or  edits,  within  the  Foundation  Program  application. 
OPI  relies  heavily  on  these  edits  to  ensure  the  data  processed 
through  the  application  is  valid.    In  addition,  we  noted  OPI 
batches  the  final  budget  reports  sent  to  keypunch.   However,  the 
batch counts only include the number of reports sent to keypunch
and provide no assurance regarding the accuracy of the
data entered or processed. Ideally, the batch process would
include a total of all numeric fields entered to prevent data entry
errors and later to ensure all transactions processed. In OPI's
present processing environment, this level of batch totals is not
cost effective. As a compensation, OPI requires the data to be
key verified. Key verification includes re-entering data by
someone other than the initial input person. The system compares
the data entered by each individual and flags differences.


Processing Control Weaknesses


As discussed in previous sections, we found application edits are
adequate and operate as described. In addition, we traced source
documentation through the system to ensure application output
was correct. We determined data maintained on the application
is accurate at this time. However, since OPI's processing controls
are limited to edits and a verification of the number of
reports entered, we believe processing controls could be
strengthened.

As  noted  above,  OPI  relies  on  the  limit  and  reasonableness 
checks  incorporated  in  the  application  to  verify  data  entered  and 
processed.   However,  we  noted  a  lack  of  documentation  related 
to  application  edits,  edits  which  can  be  bypassed  by  users,  and 
incompatibility  between  input  and  preprocessing  edits.   Given 
these  concerns,  we  question  OPI's  reliance  on  the  edit  process. 

In  addition,  we  found  little  documentation  regarding  OPI's 
development  of  the  Foundation  Program  application  and  a  lack 
of  control  over  the  changes  to  the  database.   As  a  result,  OPI  can 
not  identify  or  control  application  changes.   The  possibility  that 
unauthorized  changes  could  be  made  to  application  programming 
compromises  the  integrity  of  the  system.  Proper  authorization 
and  documentation  of  changes  to  the  database  would  provide  an 
audit  trail  assuring  continuity  of  processing  from  year  to  year. 

Given the weaknesses we identified, we believe additional controls
surrounding application processing would improve
application integrity.


Future Processing Considerations


OPI has long-range plans, through technology recently made
available at the school districts, which include decentralization
of input. OPI plans to change the Foundation Program application
to incorporate data entry at districts. OPI's plan would
require districts to electronically enter the final budget data and
transmit that data to Helena. This process would eventually be
expanded to include input from the county regarding the
Trustee's Report and other automated information OPI currently
maintains.

Since  OPI  is  in  the  early  planning  stages  of  this  change,  we 
believe  OPI  should  consider  incorporating  more  controls  within 
the  application.   For  example,  the  amounts  on  the  final  budget 
report  could  be  electronically  totalled  and  later  verified  in 
Helena  against  the  total  received.  This  process  ensures  all  data 
sent  from  each  district  was  actually  received. 
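
The control totals suggested above, as an added Python example (not part of the audit report or OPI's application). The field names, line numbers and amounts are constructed; the functions cover the batch totals and run-to-run totals listed under Processing Controls.

```python
from decimal import Decimal

# Hypothetical numeric fields on one keyed line of a final budget report.
NUMERIC_FIELDS = ("adopted_budget", "anb")


def control_totals(records, fields=NUMERIC_FIELDS):
    """Trailer computed where the data is keyed: record count plus a total
    of every numeric field."""
    totals = {f: Decimal("0") for f in fields}
    for rec in records:
        for f in fields:
            totals[f] += Decimal(rec[f])
    return {"record_count": len(records), "totals": totals}


def verify_batch(received, trailer, fields=NUMERIC_FIELDS):
    """Recompute the totals on receipt and list (item, sent, received) for
    every disagreement. An empty list means the batch arrived intact."""
    actual = control_totals(received, fields)
    problems = []
    if actual["record_count"] != trailer["record_count"]:
        problems.append(("record_count", trailer["record_count"],
                         actual["record_count"]))
    for f in fields:
        if actual["totals"][f] != trailer["totals"][f]:
            problems.append((f, trailer["totals"][f], actual["totals"][f]))
    return problems


def run_to_run(stage_in, stage_out, rejected, fields=NUMERIC_FIELDS):
    """Run-to-run control: what enters a processing step must leave it either
    as output or as an explicitly rejected record."""
    accounted = control_totals(list(stage_out) + list(rejected), fields)
    return control_totals(stage_in, fields) == accounted


# Constructed sample: three keyed lines sent by one district.
SENT = [
    {"line": "001", "adopted_budget": "1250000.00", "anb": "412"},
    {"line": "002", "adopted_budget": "310500.25", "anb": "96"},
    {"line": "003", "adopted_budget": "98000.00", "anb": "31"},
]
TRAILER = control_totals(SENT)

# Constructed transmission faults: a lost line and two transposed digits.
DROPPED = SENT[:2]
TRANSPOSED = [SENT[0], dict(SENT[1], adopted_budget="301500.25"), SENT[2]]

if __name__ == "__main__":
    print("intact:    ", verify_batch(SENT, TRAILER))
    print("dropped:   ", verify_batch(DROPPED, TRAILER))
    print("transposed:", verify_batch(TRANSPOSED, TRAILER))
    print("run-to-run:", run_to_run(SENT, SENT[:2], SENT[2:]))
```

Totals of this kind catch lost, duplicated or altered records in transit; whether the keyed values were right at the source is what the edits and key verification address.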

As  noted  on  page  14,  OPI  has  not  documented  current  input 
procedures.  The  risk  of  input  error  increases  substantially  when 
data  entry  is  decentralized.  To  compensate  for  the  increased 
risk,  OPI  should  ensure  each  district  has  an  adequate  user's 
manual  which  identifies  input  procedures,  error  messages  and 
corrective action, and procedures for obtaining help. In addition,
OPI should ensure all users receive formalized training.

Overall, we believe OPI should ensure this change to the Foundation
Program application be adequately documented including
change objectives, implementation plans, and procedure
manuals.


Recommendation #9
We  recommend  OPI: 

A.  Include  batch  and  electronic  control  totals  in  future 
updates  to  the  Foundation  Program  application. 

B.  Ensure  the  decentralization  process  of  data  entry 
includes  adequate  application  documentation,  user 
documentation,  user  training,  and  improved 
processing  controls. 


The Office of Public Instruction

Nancy Keenan, State Superintendent
Helena, Montana 59620


June  2,  1992 


Scott  Seacat 

Office  of  the  Legislative  Auditor 
State  Capitol,  Room  135 
Helena,  Montana  59620 

Dear  Mr.  Seacat: 

I  want  to  thank  the  auditor  and  his  staff  for  the  professional  review  and  assistance  in  this 
audit. 

Since 1989 we have been operating in an environment of educational funding change,
METNET Implementation, budget reduction and the necessity of operating parallel
computer systems, one IBM PC based and the other Honeywell Mainframe based. In that
environment it is a challenge to get the job done on time and guarantee all the necessary
documentation is completed. As in most development projects, the demand for timely
completion of the project overrode the demand for adequate documentation.

I am pleased with the overall conclusion that the Foundation Program design is adequate
and the present data accurate. Now it is time for us to move on to the documentation
side of the project. Elimination of the Honeywell System in June of 1992 and installation
of the final METNET site in July of 1992 should free up staff sufficiently to address the
recommendation of the legislative auditors. I appreciate their timely and professional
advice.


Sincerely,


NK
Attachment


Audit Report

Response  to  Recommendation 

1. We recommend OPI:

a. Establish written policies and procedures which adequately document the implementation
and maintenance of general controls.

Response: Concur. We will develop a work plan by August 1, 1992 to address
this documentation.

b. Require periodic evaluation of general controls to ensure security over computer data
and information resources in compliance with state law.

Response: Concur. That will be included as a part of the work plan addressed
in 1a above.

2. We recommend that OPI improve disaster recovery policies and procedures by:

a. Outlining step-by-step procedures for hardware and application recovery.

Response: Concur. Those procedures will be addressed in a work plan developed
in the response to recommendation 1a.

b. Documenting system backup procedures.

Response: Concur. We will address this issue in our work plan developed in the
response to 1a.

3. We recommend OPI:

a. Establish a target date to create documentation for the Foundation Program application
which includes objectives, programs, procedures, changes and testing.

Response: Concur. The target date for this process to begin will be September 1,
1992, with a completion goal of December 31, 1992.

b. Revise the change request form to require final approval by user management after
a change is complete.

Response: Concur. This form will be revised prior to printing more forms, or
September 1, 1992, whichever is earlier.

4. We recommend OPI establish formal policies and procedures which ensure electronic access
rights are appropriately assigned.

Response: Concur. The present practice will be reduced to writing and a completion date
included in the documentation work plan.

5. We recommend OPI:

a. Require a review by one or more staff members, independent of development team,
of new applications during each development phase.

Response: Concur. Although the review has been completed by the development
team in the past, we have no problem reassigning that responsibility
to staff members not directly involved in the development process.

b. Adequately document development team decisions and actions.

Response: Concur. Minutes of the development team decisions will be recorded
in the future and included with system development documentation.

6. We recommend OPI:

a. Document Foundation Program application objectives; manual input, processing, and
output procedures; error correction procedures; and processing information.

Response: Concur. Although the Foundation Program application controls are
adequate, we recognize the value of a procedures manual for Foundation
Program data processing practice. A procedures manual will be
developed during this processing cycle with a completion goal of
December 31, 1992.

b. Establish policies and procedures which ensure applications developed for OPI are
adequately documented.

Response: Concur. User management verification of adequate documentation will
be included on the change request form. System documentation
requirements will be discussed and agreed to by each development
team.

7. We recommend OPI establish policies and procedures which restrict the use of the Foundation
Program's edit override function and require documentation for all overrides.

Response: Concur. That will be established as part of the documentation effort explained
in 6a.

8. We recommend OPI review the Foundation Program application input edits to ensure compatibility
with related preprocessing edits.

Response: The changes suggested will be completed by June 30, 1992.

9. We recommend OPI:

a. Include batch and electronic control totals in future updates to the Foundation
Program application.

Response: Concur. Recommendations will be taken into consideration in the
future changes to the Foundation Program once the system is out of
the development phase.

b. Ensure the decentralization process of data entry includes adequate application documentation,
user documentation, user training, and improved processing controls.

Response: Concur. It should be noted this project is currently only in the concept
phase. However, as we move toward developing a remote on-line
electronic system for school district reporting, we will attempt to
include these recommendations wherever possible.